/compliance · PCI-DSS 4.0

PCI-DSS 4.0 Pentest — Requirement 11.4 with QSA

Pentest aligned with PCI-DSS 4.0 req 11.4 (penetration testing) — internal + external + segmentation testing. Accepted by QSAs in annual audits and after significant change.

90% manual · 10% automated
OSCP · CISSP · CRTO · GPEN
BR · PT · IT · ES · MA · US · AU
OWASP · MITRE · PTES · NIST

Why now

The real pain

Acquirers, payment gateways, card-processing e-commerce, fintechs with TEF — PCI-DSS req 11.4 demands an annual pentest plus one after each significant change. The QSA scrutinizes the report. Vulnerability scans dressed up as pentests don't pass. Weak CDE scoping or segmentation documentation doesn't pass either.

Standard and reference

PCI-DSS 4.0 · PCI-DSS 4.0.1 · PA-DSS / PCI Secure Software (legacy) · PCI-PIN · PCI-3DS

/attack-surface

PCI-DSS 4.0

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

01

Req 11.4.1 — Documented methodology

PTES + OWASP + NIST SP 800-115 coverage with explicit internal/external criteria.

02

Req 11.4.2 — Internal pentest

CDE network, in-scope segment attack, lateral movement, escalation.

03

Req 11.4.3 — External pentest

WAN perimeter, exposures, web application, API consumed by terminal/POS.

04

Req 11.4.4 — Significant change

Additional pentest after a CDE change, a new application or a new provider.

05

Req 11.4.5 — Segmentation testing

Validation that the CDE is isolated from out-of-scope systems. Critical — a failure here expands PCI scope.

06

Req 11.4.6 — Service provider

For PCI service providers, semiannual pentest on segmentation controls.

07

Req 11.4.7 — Remediation and retest

Evidence of exploitable finding fixes + documented retest.

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive + technical, step-by-step replication, mapped to applicable regulation.

/why-trust

Who has trusted our work

Acquirers, gateways, e-commerce with card-present. Pentest accepted by recognized QSAs for annual PCI-DSS 4.0 certification.

Caixa Econômica Federal
Banco BMG
iFood
ArcelorMittal
Multibanco
Polícia Federal
Fórmula 1
OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.


Douglas Lopes

Founder · CEO · intrus.io

/crivo · integrity program

87%

of pentester candidates fail our Crivo screening

Do you know who's getting access to your environment?

NDAs work in court. They don't work day-to-day. Before first access, every pentester on our team passes background, psychometric profile and integrity testing.

  • In-depth criminal, fiscal and professional verification
  • Psychometric assessment and risk profile
  • Practical integrity testing with controlled scenarios
  • Fixed team — non-rotating, no 'stranger every engagement'

/faq

FAQ — PCI-DSS 4.0

What did PCI-DSS 4.0 change about pentest?

It explicitly split methodology (11.4.1), internal (11.4.2), external (11.4.3), post-change (11.4.4) and segmentation (11.4.5). Retest is now explicit. It also introduced the customizable approach with risk analysis.

Does QSA accept the report?

Yes. PCI-aligned template with CDE scope, segmentation tested, documented retest and reproducible PoC. Already accepted by active QSAs in Brazil.

How long does it take?

Typical engagement: 4-8 weeks. Small e-commerce CDE: 3-4 weeks. Acquirer CDE with TEF + gateway: 6-10 weeks.

How does segmentation testing work?

We try to reach the CDE from out-of-scope hosts. If we succeed, segmentation has failed and PCI scope expands. This is one of the points QSAs inspect most closely in 4.0.
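The check described above, as an added example (not intrus.io's tooling): run from an out-of-scope host, it attempts TCP connections to assumed CDE addresses and ports and treats any completed handshake as evidence that segmentation failed. The target list is constructed, and the `connect` callable is injectable so the pass/fail logic can be exercised offline.

```python
"""Segmentation reachability check (added example, not intrus.io's tooling).

Run on a host that is supposed to be outside the CDE. Every CDE service it
can complete a TCP handshake with is a segmentation gap that a QSA would
expect to see documented and remediated.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample targets: assumed CDE hosts and services, not real addresses.
CDE_TARGETS: List[Tuple[str, int]] = [
    ("10.10.1.10", 443),   # assumed payment API
    ("10.10.1.20", 1433),  # assumed card-data database
    ("10.10.1.30", 22),    # assumed admin SSH on a CDE host
]


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_segmentation(
    targets: List[Tuple[str, int]],
    connect: Callable[[str, int], bool] = tcp_connect,
) -> Dict[str, object]:
    """Probe every CDE target and report which ones were reachable.

    A correctly segmented out-of-scope host must reach none of them, so
    'passed' is True only when the reachable list is empty.
    """
    reachable = [(host, port) for host, port in targets if connect(host, port)]
    return {"tested": len(targets), "reachable": reachable, "passed": not reachable}


if __name__ == "__main__":
    result = check_segmentation(CDE_TARGETS)
    status = "PASS" if result["passed"] else "FAIL (segmentation gap)"
    print(f"{status}: {len(result['reachable'])}/{result['tested']} CDE services reachable")
    for host, port in result["reachable"]:
        print(f"  reachable from this out-of-scope host: {host}:{port}")
```

Run it from each out-of-scope segment the scoping document claims is isolated; the reachable list, with source segment and timestamp, is the evidence the 11.4.5 report needs.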

/contact

Get a PCI-DSS 4.0 pentest quote

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.